WHAT IS CLAIMED IS: 



1. A method for accessing a service in a distributed computing environment, 
comprising: 

a client receiving a capability credential, wherein said capability credential 
indicates that the client is allowed to access a portion of a first service's 
capabilities; 

the client using said capability credential to request an access interface document 
to access the first service; 

the client receiving said access interface document, wherein said access interface 
document comprises an interface for accessing only said portion of the 
first service's capabilities; and 

the client using the interface from said access interface document to access a 
capability from said portion of the first service's capabilities. 

2. The method as recited in claim 1, wherein said using said capability credential to 
request an access interface document comprises sending an advertisement request 
message in a data representation language, wherein said advertisement request message 
includes said capability credential. 

3. The method as recited in claim 2, wherein said data representation language is 
eXtensible Markup Language (XML). 

4. The method as recited in claim 2, further comprising: 

generating a custom advertisement in response to receiving said advertisement 
request message, said custom advertisement is generated according to said 
portion of the first service's capabilities that said capability credential 
indicates the client is allowed to access; and 

sending an advertisement request response message to the client, wherein said 
advertisement request response message includes said custom 
advertisement as said access interface document. 

5. The method as recited in claim 4, wherein said custom advertisement specifies an 
XML schema defining messages to be sent by the client to the first service and messages 
to be sent from the first service to the client to use said portion of the first service's 
capabilities. 

6. The method as recited in claim 1, further comprising the client receiving a 
protected advertisement for the first service, wherein said protected advertisement 
provides an address to request said security credential, but does not provide said access 
interface document to access the first service. 

7. The method as recited in claim 6, further comprising the client sending a request 
for said security credential to the address from said protected advertisement, wherein said 
request for said security credential includes an indication of a set of desired capabilities 
for the first service. 

8. The method as recited in claim 7, wherein said address from said protected 
advertisement is for an authentication service that determines a level of capabilities of the 
first service that client is authorized to access and generates said security credential to 
grant access for the client to said portion of the first service's capabilities. 

9. The method as recited in claim 8, wherein said portion of the first service's 
capabilities is the lesser of said level of capabilities and said set of desired capabilities. 

10. The method as recited in claim 8, wherein said receiving a capability credential 
comprises receiving said capability credential from said authentication service. 

11. The method as recited in claim 6, wherein said protected advertisement further 
provides an address to request said access interface document to access the first service, 
wherein said using said capability credential to request an access interface comprises 
sending an advertisement request message to said address to request said access interface 
document. 

12. The method as recited in claim 6, wherein said receiving a protected 
advertisement comprises receiving said protected advertisement from a space service, 
wherein said space service comprises protected advertisements for a plurality of services 
including the first service, wherein each protected advertisement specifies an address for 
request a security credential to allow access to a corresponding service. 

13. The method as recited in claim 1, wherein said access interface document 
comprises a schema defining messages for accessing said portion of the first service's 
capabilities, wherein said using the interface from said access interface document to 
access a capability comprises sending a message according to said schema to the first 
service. 

14. The method as recited in claim 13, wherein said message includes said capability 
credential, the method further comprising the first service using said capability credential 
to authenticate said message as from the client. 

15. The method as recited in claim 1, wherein said access interface document 
comprises a message schema defining messages for accessing said portion of the first 
service's capabilities, wherein said using the interface from said access interface 
document to access a capability comprises the client using said access interface document 
to construct a message gate for sending messages to the first service, wherein the message 
gate embeds said capability credential in each message. 

16. The method as recited in claim 15, wherein the message gate checks each message 
for compliance with said message schema. 

17. The method as recited in claim 16, wherein said message schema is an XML 
schema. 

18. A client device, comprising: 

a connection to a distributed computing environment; 

an interface coupled to said connection and configured to receive over the 
connection a capability credential, wherein said capability credential 
indicates that a client on the client device is allowed to access a portion of 
a first service's capabilities; 

wherein the interface is further configured to use said capability credential to 
request an access interface document to access the first service; 

wherein the interface is further configured to receive said access interface 
document over the connection, wherein said access interface document 
comprises an information for accessing only said portion of the first 
service's capabilities; and 

wherein the interface is further configured to use the information from said access 
interface document to access over the connection a capability from said 
portion of the first service's capabilities. 

19. The client device as recited in claim 18, wherein the interface is configured to use 
said capability credential to request an access interface document by sending an 
advertisement request message in a data representation language, wherein said 
advertisement request message includes said capability credential. 

20. The client device as recited in claim 19, wherein said data representation language 
is eXtensible Markup Language (XML). 

21. The client device as recited in claim 19, wherein the interface is further 
configured to receive an advertisement request response message including a custom 
advertisement, wherein said custom advertisement is generated according to said portion 
of the first service's capabilities that said capability credential indicates the client is 
allowed to access. 

22. The client device as recited in claim 21, wherein said custom advertisement 
specifies an XML schema defining messages to be sent by the client to the first service 
and messages to be sent from the first service to the client to use said portion of the first 
service's capabilities. 

23. The client device as recited in claim 18, wherein the interface is further 
configured to receive a protected advertisement for the first service, wherein said 
protected advertisement provides an address to request said security credential, but does 
not provide said access interface document to access the first service. 

24. The client device as recited in claim 23, wherein the interface is further 
configured to send a request for said security credential to the address from said protected 
advertisement, wherein said request for said security credential includes an indication of a 
set of desired capabilities for the first service. 

25. The client device as recited in claim 24, wherein said address from said protected 
advertisement is for an authentication service that determines a level of capabilities of the 
first service that client is authorized to access and generates said security credential to 
grant access for the client to said portion of the first service's capabilities. 

26. The client device as recited in claim 25, wherein said portion of the first service's 
capabilities is the lesser of said level of capabilities and said set of desired capabilities. 

27. The client device as recited in claim 25, wherein the interface is configured to 
receive said capability credential from said authentication service. 

28. The client device as recited in claim 23, wherein said protected advertisement 
further provides an address to request said access interface document to access the first 
service, wherein the interface is configured to use said capability credential to request an 
access interface document by sending an advertisement request message to said address to 
request said access interface document. 

29. The client device as recited in claim 23, wherein the interface is configured to 
receive said protected advertisement from a space service, wherein said space service 
comprises protected advertisements for a plurality of services including the first service, 
wherein each protected advertisement specifies an address for request a security 
credential to allow access to a corresponding service. 

30. The client device as recited in claim 18, wherein said access interface document 
comprises a schema defining messages for accessing said portion of the first service's 
capabilities, wherein the interface is configured to use the information from said access 
interface document to access a capability by sending a message according to said schema 
to the first service. 

31. The client device as recited in claim 30, wherein said message includes said 
capability credential so that the first service may use said capability credential to 
authenticate said message as from the client. 

32. The client device as recited in claim 18, wherein said access interface document 
comprises a message schema defining messages for accessing said portion of the first 
service's capabilities, wherein the interface is configured to use the information from said 
access interface document to access a capability by using said access interface document 
to construct a message gate in the client device for sending messages to the first service, 
wherein the message gate embeds said capability credential in each message. 

33. The client device as recited in claim 32, wherein the message gate is configured to 
check each message for compliance with said message schema. 

34. The client device as recited in claim 33, wherein said message schema is an XML 
schema. 

35. A carrier medium comprising program instructions, wherein the program 
instructions are computer-executable on a client device to implement: 

receiving a capability credential, wherein said capability credential indicates that a 
client within the client device is allowed to access a portion of a first 
service's capabilities; 

using said capability credential to request an access interface document to access 
the first service; 

Atty. Dkt. No.: 5181-70500 




Conley Rose & Tayon, PC. 



receiving said access interface document, wherein said access interface document 
comprises an interface for accessing only said portion of the first service's 
capabilities; and 

using the interface from said access interface document to access a capability from 
said portion of the first service's capabilities. 

36. The carrier medium as recited in claim 35, wherein said using said capability 
credential to request an access interface document comprises sending an advertisement 
request message in a data representation language, wherein said advertisement request 
message includes said capability credential. 

37. The carrier medium as recited in claim 36, wherein said data representation 
language is eXtensible Markup Language (XML). 

38. The carrier medium as recited in claim 36, wherein the program instructions are 
computer-executable on the client device to further implement: 

receiving, in an advertisement request response message, a custom advertisement 
in response to sending said advertisement request message, wherein said 
custom advertisement is generated according to said portion of the first 
service's capabilities that said capability credential indicates the client is 
allowed to access. 

39. The carrier medium as recited in claim 38, wherein said custom advertisement 
specifies an XML schema defining messages to be sent by the client to the first service 
and messages to be sent from the first service to the client to use said portion of the first 
service's capabilities. 

40. The carrier medium as recited in claim 1, wherein the program instructions are 
computer-executable on the client device to further implement receiving a protected 
advertisement for the first service, wherein said protected advertisement provides an 
address to request said security credential, but does not provide said access interface 
document to access the first service. 

41. The carrier medium as recited in claim 40, wherein the program instructions are 
computer-executable on the client device to further implement sending a request for said 
security credential to the address from said protected advertisement, wherein said request 
for said security credential includes an indication of a set of desired capabilities for the 
first service. 



42. The carrier medium as recited in claim 41, wherein said address from said 
protected advertisement is for an authentication service that determines a level of 
capabilities of the first service that client is authorized to access and generates said 
security credential to grant access for the client to said portion of the first service's 
capabilities. 

43. The carrier medium as recited in claim 42, wherein said portion of the first 
service's capabilities is the lesser of said level of capabilities and said set of desired 
capabilities. 

44. The carrier medium as recited in claim 42, wherein said receiving a capability 
credential comprises receiving said capability credential from said authentication service. 

45. The carrier medium as recited in claim 40, wherein said protected advertisement 
further provides an address to request said access interface document to access the first 
service, wherein said using said capability credential to request an access interface 
comprises sending an advertisement request message to said address to request said 
access interface document. 

46. The carrier medium as recited in claim 40, wherein said receiving a protected 
advertisement comprises receiving said protected advertisement from a space service, 
wherein said space service comprises protected advertisements for a plurality of services 
including the first service, wherein each protected advertisement specifies an address for 
request a security credential to allow access to a corresponding service. 



47. The carrier medium as recited in claim 35, wherein said access interface document 
comprises a schema defining messages for accessing said portion of the first service's 
capabilities, wherein said using the interface from said access interface document to 
access a capability comprises sending a message according to said schema to the first 
service. 

48. The carrier medium as recited in claim 47, wherein said message includes said 
capability credential so that the first service may use said capability credential to 
authenticate said message as from the client. 

49. The carrier medium as recited in claim 35, wherein said access interface document 
comprises a message schema defining messages for accessing said portion of the first 
service's capabilities, wherein said using the interface from said access interface 
document to access a capability comprises the client using said access interface document 
to construct a message gate for sending messages to the first service, wherein the message 
gate embeds said capability credential in each message. 

50. The carrier medium as recited in claim 49, wherein the program instructions are 
computer-executable on the client device to further implement the message gate checking 
each message for compliance with said message schema. 

51. The carrier medium as recited in claim 50, wherein said message schema is an 
XML schema. 
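
The flow recited in claims 7 through 16, as an added Python example that is not part of the patent text: the authentication service grants the lesser of the authorized and desired capabilities, the first service builds a custom advertisement from the credential, and a client message gate embeds the credential and checks each message. The HMAC-signed credential, the dict-based schema standing in for an XML schema, the capability table and all names are assumptions for illustration; the server-side capability re-check in service_handle goes beyond what the claims recite.

```python
import hashlib
import hmac
import json

AUTH_KEY = b"constructed-demo-key"  # assumption: key shared by auth service and first service
# Constructed capability table for a hypothetical first service: name -> required fields
SERVICE_CAPS = {"read": {"path"}, "write": {"path", "data"}, "delete": {"path"}}
AUTHORIZED = {"alice": {"read", "write"}}  # constructed per-client authorization levels

def _sign(body):
    return hmac.new(AUTH_KEY, body.encode(), hashlib.sha256).hexdigest()

def issue_credential(client, desired):
    """Authentication service: grant the lesser of authorized level and desired set."""
    granted = sorted(AUTHORIZED.get(client, set()) & set(desired))
    body = json.dumps({"client": client, "caps": granted}, sort_keys=True)
    return {"body": body, "sig": _sign(body)}

def verify_credential(cred):
    """Return the credential's claims, or raise if the signature does not match."""
    if not hmac.compare_digest(_sign(cred["body"]), cred["sig"]):
        raise PermissionError("bad capability credential")
    return json.loads(cred["body"])

def custom_advertisement(cred):
    """First service: schema covering only the capabilities the credential grants."""
    caps = verify_credential(cred)["caps"]
    return {cap: sorted(SERVICE_CAPS[cap]) for cap in caps}

class MessageGate:
    """Client-side gate built from the advertisement; embeds the credential in each message."""

    def __init__(self, advertisement, cred):
        self.schema, self.cred = advertisement, cred

    def build(self, op, **fields):
        # Reject any message that the advertised schema does not define.
        if op not in self.schema or set(fields) != set(self.schema[op]):
            raise ValueError(f"message {op!r} does not comply with schema")
        return {"op": op, "fields": fields, "credential": self.cred}

def service_handle(msg):
    """First service: authenticate the message via its credential before acting."""
    claims = verify_credential(msg["credential"])
    if msg["op"] not in claims["caps"]:  # added re-check, not recited in the claims
        raise PermissionError("capability not granted")
    return f"{msg['op']} ok for {claims['client']}"
```

A client authorized for read and write that asks for read and delete receives a credential for read only, so its gate cannot build a write or delete message.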